If you have a deployment where the HQ and remote network location(s) are directly connected over a WAN link, and each of these locations is secured by Prisma Access, to ensure optimal routing (with eBGP) you must:

Add a static route to the eBGP router address. In addition to the default route that sends all traffic to Prisma Access, you must add a static route locally on the IPSec-capable device or router at the remote network(s), so that traffic to the eBGP peer uses the WAN link rather than the tunnel.

Filter the routes that are advertised from the IPSec-capable device or router at HQ to the eBGP peers at other directly connected locations. As a best practice, configure the BGP router at HQ to advertise only the routes that you want to allow across the WAN link; this ensures that the eBGP router at HQ does not advertise the routes it learns from Prisma Access to other remote network location(s) secured by Prisma Access. In this example, the eBGP router at HQ only advertises the routes that employees at the branch office need to reach the servers (subnets) at HQ.
The following illustration shows a retail business with two paths to the servers at the HQ location. One path is a WAN link that provides direct connectivity for employees accessing servers at HQ, and the other path secures traffic generated by other users at this location, for example customers accessing the retailer’s website over Wi-Fi or using the kiosk at the branch office to check inventory. This traffic is sent through the tunnel to the remote network and on to HQ.
To set up this configuration, create a remote network connection and create a service connection to onboard the remote network and HQ locations. The details below show how to set up the router configuration at each location to ensure optimal routing:
Add the static routes on your router or on-premises IPSec-capable device at the remote network location. If you have a Palo Alto Networks firewall at the edge of the WAN link, select Network > Virtual Routers > Static Routes and Add the static routes.
Configure the routes that you want to advertise to another directly connected location over the WAN link. In this example, you need to configure this on the eBGP router at the HQ location. If you have an on-premises Palo Alto Networks firewall at the edge of the WAN link, you can set up route redistribution and configure which BGP routes to export on Network > Virtual Routers > BGP.
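The two routing requirements above, modelled as an added example (not Palo Alto Networks code, and not a substitute for the firewall configuration): a longest-prefix lookup shows why the remote site needs a static route to the eBGP peer in addition to its default route to Prisma Access, and an export filter shows HQ advertising only its permitted subnets and never the prefixes it learned from Prisma Access. All addresses, next-hop labels and subnets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # destination in CIDR form
    next_hop: str    # constructed labels: "prisma-tunnel", "wan-link", "local"
    source: str      # "static", "connected", or "bgp:<peer>"

def lookup(rib, dest):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(dest)
    best = None
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best

# Constructed remote-site RIB: only the default route that sends everything to Prisma Access.
REMOTE_RIB = [Route("0.0.0.0/0", "prisma-tunnel", "static")]
HQ_EBGP_ROUTER = "203.0.113.1"   # constructed address of the HQ eBGP router on the WAN link

def remote_next_hop_for_peer(rib):
    """Which path the remote site would use to reach the HQ eBGP router."""
    return lookup(rib, HQ_EBGP_ROUTER).next_hop

# With only the default route, the eBGP session itself would be sent into the tunnel;
# the local /32 static route to the peer over the WAN link corrects that.
REMOTE_RIB_FIXED = REMOTE_RIB + [Route("203.0.113.1/32", "wan-link", "static")]

# Constructed HQ RIB: local server subnets plus prefixes learned from the Prisma Access eBGP peer.
HQ_RIB = [
    Route("10.10.0.0/16", "local", "connected"),                  # HQ server subnets branch staff need
    Route("10.20.0.0/16", "local", "connected"),                  # other HQ subnets, not for the WAN link
    Route("172.16.0.0/12", "prisma-tunnel", "bgp:prisma-access"), # learned from Prisma Access
    Route("10.50.0.0/16", "prisma-tunnel", "bgp:prisma-access"),  # the branch's own subnet, via Prisma Access
]
ALLOWED_EXPORT = ["10.10.0.0/16"]   # the explicit allow list for the WAN peer

def hq_export_to_wan_peer(rib, allowed):
    """Prefixes HQ advertises to the directly connected WAN peer: allow-listed local routes only."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    exported = []
    for r in rib:
        if r.source.startswith("bgp:prisma-access"):   # never re-advertise Prisma Access routes
            continue
        net = ipaddress.ip_network(r.prefix)
        if any(net.subnet_of(a) for a in allowed_nets):
            exported.append(r.prefix)
    return exported
```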